Aerosol Posted January 8, 2015 Report Posted January 8, 2015 I managed to find time to fix a couple of MentalJS bypasses by LeverOne and Soroush Dalili (@irsdl). LeverOne’s vector was outstanding since it bypassed the parsing itself which is no easy task. The vector was as follows:for(var ii/'/+alert(location);0)break//')Basically my parser was inserting a semi colon in the wrong place causing a different state than the actual state executed. My fix inserts the semi colon in the correct place. Before the fix the rewritten code looked like this:for (var i$i$; / '/+alert(location);0)break//')As you can see the variables have been incorrectly joined and so the next state is a regex whereas Mental thinks it’s a divide. After the fix the rewritten code looks like this:for (var i$;i$ / '/+alert(location);0)break//')So now the divide is an actual divide. Technically I shouldn’t be inserting a semi-colon in the for statement, I might fix this at a later stage if I have time.The second bypass was from Soroush that basically assigned innerHTML on script nodes bypassing the rewriting completely. Cool bug. The fix was pretty simple, I prevented innerHTML assignments on script nodes. Here is the bypass:-parent=document.getElementsByTagName('body')[0];img=document.getElementsByTagName('img')[0];x=document.createElement('script');x.innerHTML='alert(location)';parent.appendChild(x);Source Quote
